ipset-dns

ipset-dns is a lightweight DNS forwarding server that adds all resolved IPs
to a given netfilter ipset. It is designed to be
used in conjunction with dnsmasq's
upstream server directive.

Practical use cases include routing traffic for particular web services or web
pages over a given gateway when those services do not have a priori predictable
IP addresses and instead rely on dizzying arrays of DNS resolutions.

Upstream Dnsmasq Support

Why?

Some ISPs throttle connections to services like YouTube. Or you live somewhere
without Netflix/Pandora/Hulu, but you've got a VPN.

The problem is, you don't want to route all your internet traffic over the VPN -- just
the traffic for YouTube and Pandora, say. It'd be nice to just whitelist a static IP range,
but some services, like YouTube, have thousands of caching servers spread over a modicum
of IP ranges, and it's just too much of a hassle to compile the list beforehand.

So instead, you put ipset-dns on your router, and then everyone and every
XBox/PS3/whatever on your wifi network will benefit from the superior
bandwidth and/or geo-availability.

Usage

# ipset-dns name-of-ipset listening-port upstream-dns-server

ipset-dns binds only to localhost. It will daemonize unless the NO_DAEMONIZE
environment variable is set.

Building

Linux >= 2.6.32:

$ make

Linux >= 2.6.16 or >= 2.4.36:

$ make OLD_IPSET=1

Example

In dnsmasq.conf:

server=/c.youtube.com/127.0.0.1#1919

Make an ipset:

# ipset -N youtube iphash

Start the ipset-dns server:

# ipset-dns youtube 1919 8.8.8.8

Query a hostname:

# host r4---bru02t12.c.youtube.com
r4---bru02t12.c.youtube.com is an alias for r4.bru02t12.c.youtube.com.
r4.bru02t12.c.youtube.com has address 74.125.216.51

The network interfaces tun11 and tun12 are assumed to be OpenVPN tunnels,
though they may be any other kind of interface with a route. These devices are
assumed to have some form of masquerading and IP forwarding turned on already.

The iptables mangle table is used to set a firewall mark on packets whose
destination matches an ipset maintained by ipset-dns. A routing table is created
and a rule is entered that sends packets marked by iptables to that routing
table. Finally, a default route via the tunnel interface is added to the marked
routing table.

Two ipset-dns daemons are started, one for each of the routes, listening on the
ports given in the dnsmasq configuration. Lastly, SIGHUP is sent to dnsmasq to
flush its cache, so that previously cached answers are resolved again through
ipset-dns and land in the sets.